Welcome to Tomorrow... Today

Transcription

1 Copyright 2016 Splunk Inc. Welcome to Tomorrow... Today The need and benefit of merging of IT and Security in today's ever connected world of security and IT Tim Lee CISO, City of LA Ernie Welch Sales Engineer, Splunk

2 Disclaimer During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in the this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. 2

3 City of Los Angeles 2 nd largest city in U.S Population: 4 Million Annual visitors: 43 Million 43 departments, 35,000 FTE Critical Infrastructure Sectors 3

4 Mayor s Executive Directive on Cybersecurity I m creating this Cyber Intrusion Command Center (CICC) so that we have a single, focused team responsible for implementing enhanced security standards across city departments and serving as a rapid reaction force to cyberattacks, Mayor Eric Garcetti 4

5 Challenges Siloed SOCs/NOCs Dispersed and massive log capturing Lack of centralized Incident Management capabilities No threat intelligence analysis and sharing platform Limited Situation Awareness (SA) and security metrics city-wide 5

6 Integrated SOC Solution Critical Asset Protection (CAP) 6

7 7

8 Critical Asset A Critical Asset is defined as any system, whether physical or virtual, so vital to the City of Los Angeles and its citizens, that the incapacity or destruction of such systems, or the unauthorized access and/or dissemination of the information contained therein, would have a debilitating impact on the City's security, economic security, public health or safety, or any combination of those matters. 8

9 Critical Asset Protection IDENTIFY DETECT PROTECT RESPOND RECOVER Critical Asset Inventory Data sources & security controls Security goals & use cases Data collection / Logging SIEM/ISOC integration Alert correlation, notification and dashboards KPI monitoring Threat Intelligence service Vulnerability assessment Data Security / Compliance. Policy, Standard and Guidelines. Awareness and Training. Penetration testing and Tabletop exercise Incident Response Plan and Notification Procedure (Department, City-wide) Critical System Recovery Plan (Service Continuity Plan) 9

10 Enterprise Security ES and a bifurcated ISOC dashboard 10

11 IT Service Intelligence Current Deployment We ve deployed 5 of the 43 departments within City of LA We re modeled 38 Services We ve created 30 individual glass tables We re monitoring 160 KPI s We ve enabled ML for anomaly detection / adaptive thresholds We re using Multi-KPI Alerting for advanced notifications 11

12 IT Service Intelligence Role Based Access Control 12

13 IT Service Intelligence Using multi glass tables 13

14 IT Service Intelligence Leveraging core dashboards from ITSI 14

15 IT Service Intelligence Deep Dives and OS Host Details 15

16 Tomorrow Today ITSI multi-kpi Alerts and Notable Events 16

17 ITSI & Security Starting to tie it all together 17

18 Lessons Learned Start getting events into Splunk ASAP Engage Business Service SME s early DB Servers Web Servers App Servers Leverage KPI Base Searches much more efficient Leverage Threshold templates Saves time, builds standards 18

19 What Now? Related breakout sessions and activities 19

20 THANK YOU